Skip to content

Instantly share code, notes, and snippets.

@pingiun
Last active April 13, 2019 11:47
Show Gist options
  • Save pingiun/85033d048206558cf6a46f2061e3624b to your computer and use it in GitHub Desktop.
Save pingiun/85033d048206558cf6a46f2061e3624b to your computer and use it in GitHub Desktop.
The nixos configuration file I use to use mac.jelle.space for my macbook
let
wireguardPort = 51820;
tunnels = [ {
ipv4Addr = { addr = "195.201.249.203"; suffix = 32; };
ipv6Addr = { addr = "2a01:4f8:c2c:2b57::2"; suffix = 128; };
wgPublicKey = "3WWr1zr3ry6KeAwr3Cw3mQsnBeLLUYs1DGa7iEwyAWA=";
} ];
mkAddrWithSuffix = (x: "${x.addr}/${toString x.suffix}" );
server = { config, pkgs, ... }: {
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
networking.hostName = "server.jelle.space"; # Define your hostname.
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim wireguard wireguard-tools
];
boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
# Hetzner needs a static configuration for ipv6
networking.interfaces.ens3.ipv6.addresses = [ {
address = "2a01:4f8:c2c:2b57::1";
prefixLength = 64;
} ];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "ens3";
};
# Enable proxying for the tunneling peers
networking.interfaces.ens3.proxyARP = true;
networking.wireguard.interfaces.wg0 = {
ips = [ "10.4.0.1/24" "fd00:4242:0:1::1/64" ];
listenPort = wireguardPort;
privateKeyFile = config.deployment.keys.privkey-wireguard.path;
allowedIPsAsRoutes = true;
peers =
# Tunneled peers, defined in top of file
(map (p: {
publicKey = p.wgPublicKey;
allowedIPs = (map mkAddrWithSuffix [ p.ipv4Addr p.ipv6Addr ]);
}) tunnels)
++
[
{
publicKey = "j1N3Ca5R6deUM1IBpfrdkdGVoPVERvIIhW2aN7NdNH4=";
allowedIPs = [ "10.3.0.0/16" ];
endpoint = "213.124.166.73:51820";
}
];
};
# Ip forwarding is needed for the tunnels
boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1; };
networking.firewall.enable = true;
# Set to true by default, but included for expliciteness
networking.firewall.allowPing = true;
networking.firewall.allowedUDPPorts = [ wireguardPort ];
# Needed for routing the tunnels?
networking.firewall.checkReversePath = "loose";
# Immutable users are nice to have
users.mutableUsers = false;
users.users.jelle = {
isNormalUser = true;
description = "Jelle Besseling";
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICunYiTe1MOJsGC5OBn69bewMBS5bCCE1WayvM4DZLwE jelle@Jelles-Macbook-Pro.local" ];
passwordFile = config.deployment.keys.password-jelle.path;
};
users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1hSb1eyjoKjqIqfqy9rwf1ubSjnrXGZjBwPbhlN0u1 NixOps client key for personal" ];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
system.autoUpgrade.enable = true;
};
in {
personal = server;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment